Ethical hacking: what is it and where is it used? Who are the white hackers?

[Father]

Table of contents

1. How to become an Ethical Hacker
2. How is hacker ethics measured?
3. Current situation with Bug Bounty in Russia
4. Conclusion

Hacking is a kind of flagship of media information security. Cult films are made about hackers. Many teenagers and aspiring IT professionals are eager to learn how to become a hacker.

Special attention is paid to ethical hacking, as it is not only prestigious, but also legal. The term "ethical hacker" covers many specialists: pentesters, bug hunters, and others. However, their activities are very dependent on the legislation of the country in whose jurisdiction they operate.

How to become an Ethical Hacker​

Formally, as soon as a specialist has joined one of the open Bug Bounty programs and as long as his activities do not violate the rules and regulations, he is an ethical hacker.

If we talk about training programs for hackers, then there are three ways:

1. Get a specialized higher education in the field of information security. Academic education should not be underestimated – it serves as a foundation on which up-to-date working information is layered.
2. Retrain. Ethical hacking courses offer a variety of platforms. For example, Skillfactory. Such courses are positioned as a way to learn from scratch, but they are more relevant for related specialists who want to try their hand at baghunting. For example, for system administrators and testers.
3. Self-education. Those who don't want to pay for an ethical hacker course and are willing to learn on their own can use training platforms like HackTheBox. The success of this approach largely depends on starting positions and perseverance. A number of such platforms also offer free courses on ethical hacking.

The question of ethics and legality plays a big role in training a white hacker. Understanding boundaries and boundaries is a basic skill for any bug hunter. After all, if you cross them – there is a high risk of encountering a lot of unpleasant consequences.

How is hacker ethics measured?​

The prefix "ethical" is a well-established phrase. The measure of a hacker's ethics is his personal moral guidelines or public opinion. In the context of professional activity, it is more correct to talk about the legality or illegality of hacking.

Kirill Romanov
Business Development Manager of the Information Security Department of Sissoft

In world practice, specialists who hack a company's website, business applications, and other online services to detect vulnerabilities to improve security are usually called ethical or white-hat hackers. The phrase "legal hacking" was not widely used. Such "hackers" do not cause damage to the business and do not use the data for their own purposes.

Their task is to identify a vulnerability or bug, report the problem to the pentest customer so that they can fix it and prevent information leakage during an attack by intruders.

Legal hacking is one that complies with all the legal norms of the country in which the hacker operates. Therefore, the first thing a hacker should know is the relevant laws governing their activities.

But even knowing and following all the laws does not guarantee that the actions of an ethical hacker will be misinterpreted. Much depends on how the company in whose infrastructure the vulnerability was found treats this information.

Viktor Chashchin
White Hat Hacker certified Chief Operating Officer of the MULTI-FACTOR company

If we talk about Russia, then in principle a hacker cannot protect his activities from any subsequent claims of the employer. The most typical story: in the course of security research, a hacker stumbled upon a vulnerability that could lead to a leak of confidential information. And the employer can contact the police with a statement that, in fact, the hacker got access to it. Therefore, all such works and contracts are primarily based on trust in each other.

In conditions of a priori imperfection of any legislative system, especially in such dynamically developing areas as IT and information security, the only reliable protection tool is a bilateral agreement between the company and an ethical hacker.

This model is used by pentest specialists. The contract clearly defines the testing methods, its scope, and other parameters. This approach makes it possible to mitigate possible risks during penetration testing.

Evgeny Tsarev
Managing Director of RTM Group, expert in cybersecurity and law

Hacking also involves security analysis - this is a licensed activity. Thus, anyone can not be a hacker outside of special laboratories. For any use of an exploit used by pentesters, an ordinary citizen can be charged with 273 of the Criminal Code of the Russian Federation with all the consequences.

And when it comes to providing a security analysis service, for example, all basic restrictions, powers, etc. are described in the contract. Also, based on the results of work performed, the same pentester makes a detailed report. And if the client further claims that the services provided caused harm to their organization, this still needs to be proved. For this purpose, technical expertise is applied, among other things.

The first thing a hacker should be able to do is calculate risks. Even a relatively legal activity that is not supported by a contract can lead to multiple consequences. The process of legal proceedings is lengthy and resource-intensive.

In the case of baghunting, the wholesale conclusion of contracts is impossible for a lot of reasons. In such cases, special programs are used – Bug Bounty. Its meaning is that the company itself agrees to the study of its system by volunteer specialists and guarantees a reward for found vulnerabilities.

Current situation with Bug Bounty in Russia​

Some large IT-focused companies run such programs on their own. For example, Microsoft or Facebook. But these are rather specific examples, and the world practice is the use of Bug Bounty sites.

There are two high-profile examples of such platforms: HackerOne and Bugcrowd. According to the interaction model, this is a classic work through an intermediary or guarantor. The platform defines the rules of interaction, attracts companies and bug hunters, and makes it possible to safely search for vulnerabilities.

In current conditions, working with foreign sites of this type is very difficult, and for a number of companies it is impossible at all.

The difficulty of working with international platforms has drawn the attention of relevant authorities to the problem of Bug Bounty regulation in Russia. According to Vedomosti, the Ministry of Digital Development is discussing the possibility of introducing the concept of Bug Bounty into the legal field.

Alexander Borisov
Head of Security Analysis, Innostage Group of Companies

Definitely, the appearance of bug bounty will have a positive impact on the formation of the legal field for information security researchers. In addition, this initiative can bring new specialists to the industry, which is currently very lacking, since the very concept of bug bounty implies compensation for identifying significant vulnerabilities.

So far, the agency has not made any loud statements, so it is difficult to judge the level of changes. Perhaps this will be the resolution of minor formalities, which will simplify the interaction of baghunters and companies. For example, creating a legal framework for paying compensation for found vulnerabilities. More significant changes cannot be ruled out.

Alexey Antonov
Managing Partner of Swordfish Security

It is not entirely clear how it is planned to be “legalized " and what it means at the legislative level. Within the framework of the BugBounty programs of the same VK and Yandex, it is legal to carry out such activities, for example. If someone undertakes to test the company's infrastructure independently without a contract, then this is already illegal.

How will the Digital Currency Ministry implement this? It may launch BugBounty for all state services (immediately or in stages, which is more likely) and determine the conditions for its participants. But then we will be talking about a program that has a certain life span, and not about legalizing the concept of white hacking. By the way, this task does not seem quite correct, since over time it will be perceived as a loophole by various attackers. Trying to stay in the legal field, they will commit " gray "and even" black " manipulations.

And it is not clear whether there is a need to legalize white-hat hacking, because today thousands of companies use such services, working with security specialists under contracts.

Currently, the most secure and convenient way for ethical hackers and companies to interact is through Russian Bug Bounty platforms. For example, The Standoff 365 Bug Bounty from Positive Technologies. VK recently announced its participation in the activities of this platform, as part of testing its VK ID product.

Conclusion​

The current political situation has had an important effect on the attitude of the authorities and society to information security. In particular, awareness has grown regarding ethical hacking as a tool for finding vulnerabilities.

At the same time, from the point of view of legislation, the situation is far from ideal. Creating an adequate legal framework may take time. And even after the legislative foundation is created, there are likely to be weak points that can be interpreted not in favor of an ethical hacker.

For those specialists who are thinking about how to become a hacker and start earning large fees, receiving money for finding vulnerabilities, it is important to keep in mind the risks. Because the pursuit of success and reckless actions can lead to spending money on protecting your own name and long legal proceedings.